Network-Centric Warfare Demands a
Secure and Survivable Information Grid


Requirements  for  the  Navy’s  Command  and  Information  Infrastructure  are  flexibility, 
modular  system  design,  fast  and  easy  configuration,  and  information  assurance. 

--  Committee  on  Network-Centric  Naval  Forces 

The Navy's Open Architecture:
Requirements for Interoperability


“[The Open Architecture will ...] substantially reduce shipboard
computer  maintenance  by  capitalizing  on  the  fact  that  application 
components  are  not  bound  to  computer  locality  but  instead  are 
free  to  migrate  to  available  processors  under  Resource 
Management  (RM)  control.” 

Open  Architecture  Computing  Environment  (NSWC  Dahlgren) 

Distribution Adaptation Frameworks


Infrastructure  must  provide: 

•  Pool-of-computers  architecture 

•  Applications  not  bound  to  computer 
locality  but  migrate  to  available 
processors 

•  Functionally  distinct  self-contained 
applications  or  components 

•  Components  loosely  coupled  in  space 
and  time 

•  Applications  built  for  portability  and 
location  transparent  allocation  and 
operation 

How can we achieve this?


Software  agents  are  computer  programs  with  one  or 
more  of  the  following  attributes: 

A Case for Distributed Agents:

UAV  Swarms 

A Case for Distributed Middleware:


Intelligent Agent Security Module


• Real-time Intrusion Pattern Detection

• Identify Attack Sources

• Proactive Attack Identification

• Forensic Analysis and Data Mining

• Cyberlab - Effectiveness Metrics

• Correlation, Fusion, and Visualization

Threats to Interoperability


“A  Network  Enabled  Battlespace  is  dangerous  if  content  is  not 
secured  and  guaranteed.  [...]  a  major  challenge  is  to  ensure  that 
data  and  communications,  at  rest  and  on  the  fly,  are  secure  each 
time,  every  time.”  --  Battlespace  Information  2003 


Interoperability  goals: 

•  reduce  total  ownership  costs 

•  quick  and  easy  system  upgrade 
and  reconfiguration 

•  lower  impact  of  COTS  upgrades 

•  reduce  compatibility  problems 



THREATS 

COTS  flaws 
Insiders 
Nation  States 
Hackers 
User  mistakes 
Trojan  horses 

Information Assurance (IA)


“Information Operations That Protect and
Defend Information and Information Systems
by Ensuring Their Availability, Integrity,
Authentication, Confidentiality, and Non-repudiation.
This Includes Providing for
Restoration of Information Systems by
Incorporating Protection, Detection, and
Reaction Capabilities.”


Joint  Doctrine  for  Information  Operations 
Joint  Pub  3-13,  Oct  9, 1998 

IA Is An Enabler


We Count on Information
Superiority to Improve
Combat Effectiveness

- Full Spectrum Dominance

- Network Centric Warfare

IA Enables Information
Superiority in a Network-Centric
Paradigm

- Global Secure, Interoperable
Network

- State-of-the-Art Protection for
Information Infrastructure


Naval  Transformation 
Focused Logistics Assured Access


Network  Centric  Warfare 
Info  Sharing  Virtual  Collaboration 
Streamlined  Planning  Better  Awareness 

Solution: Secure and
Reconfigurable Middleware


Distributed middleware researchers¹ identify the
following challenges:


Programming Abstractions
Naming and Resource Discovery
Adaptive Data Fusion
Adaptive Distributed Plumbing
Failure Semantics
Runtime Mechanisms
System Evaluation


... but miss the most important² ones:

■ Trustworthiness

■ Security

■ Robustness

■ System Survivability


¹ Ramachandran U., et al., 9th IEEE Workshop on Future Trends of Distributed Computing Systems, May 2003.

² Bharadwaj R., 9th IEEE Workshop on Future Trends of Distributed Computing Systems, May 2003.

Secure Infrastructure for
Networked Systems (SINS)


•  Uses  software  agents  technology 

•  Addresses  security,  performance,  and  robustness 
(survivability  addressed  in  a  related  NRL  6.2  project) 

•  Builds  security  into  agent  middleware 


What  can  we  prove  about  agents  in  the  SINS  architecture? 

—  Completeness  and  Consistency  of  Agent  Behavior 

—  Mechanical  proofs  of  safety  properties  and  agent  compliance  with 
local  security  policies 

—  Determination  of  emergent  behavior  of  a  community  of  agents 

Security Agents Enforce
a Consistent Security Policy


SAFETY  PROPERTY 

Never  issue  a  CFF  if  forceCode  ==  <friendly> 


CRYPTO  ASSIST 
AGENTS 


AUTHORIZATION 

AGENTS 


APPLICATION-SPECIFIC 

AGENTS 


MONITORING 

AGENTS 


POLICY  ENFORCEMENT 
AGENTS 


•  intrusion  detection 

•  application  monitoring 

•  survivability 

•  infrastructure  monitoring 


Security  Agents  act  as  mini-firewalls  between 
an  application  and  the  OS  resources. 

Design Tradeoffs


Functionality

Security and Survivability must be considered
in the context of applications.

Based on a Dual-Layer Approach


Services 


Spatially  distributed  objects 


References: 

•  Bharadwaj  R,  “SOL:  A  Verifiable  Synchronous  Language  for  Reactive  Systems,”  In  Proc.  Synchronous 
Languages,  Applications,  and  Programming  (SLAP’02),  ETAPS  2002,  Grenoble,  France,  April  2002. 

•  Bharadwaj  R,  Froscher  J,  Khashnobish  A  and  Tracy  J.  “An  Infrastructure  for  Secure  Interoperability  of  Agents,” 
in  Proc.  Sixth  World  Multiconference  on  Systemics,  Cybernetics  and  Informatics,  Orlando,  FL  July  2002. 

•  Bharadwaj  R,  “SINS:  A  Middleware  for  Autonomous  Agents  and  Secure  Code  Mobility,”  In  Proc.  Second 
International  Workshop  on  Security  of  Mobile  Multi-Agent  Systems  (SEMAS-02),  First  International  Joint 
Conference  on  Autonomous  Agents  and  Multiagent  Systems  (AAMAS  2002),  Bologna,  Italy,  July  2002. 

Secure Infrastructure for Networked
Systems (SINS)


Services


Secure Operations Layer (SOL)

Distributed Objects Layer (DOL)


Domain  Engineering:  Identification  and  Design  of  SOL  Components 

•  Bharadwaj  R.  “Formal  Analysis  of  Domain  Models,”  in  Proc.  International  Workshop  on  Requirements  for 
High  Assurance  Systems  (RHAS’02),  Essen,  Germany,  September  2002. 

•  Kirby  J.  “Rewriting  Requirements  for  Design,”  in  Proc.  IASTED  International  Conference  on  Software 
Engineering  and  Applications  (SEA  2002),  Cambridge  MA,  November  2002. 

•  Bharadwaj  R.  “How  to  fake  a  Rational  Design  Process  using  the  SCR  Method,”  in  Proc.  Software  Engineering 
for  High  Assurance  Systems  (SEHAS  2003),  held  in  conjunction  with  the  International  Conference  on  Software 
Engineering  (ICSE),  Portland  OR,  May  2003. 

Secure Agent Development Process


Secure  Agent  Standard  Agent 

Requirements  Decomposition  Design 

Case Studies


Next-Generation agent-based Command and Control Systems:

• Integrated Marine Multi-Agent Command and Control System
(IMMACCS): Agent-based C2 system

• Real-time Execution Decision Support (REDS): Decision Support System
which uses agents for information access and dissemination

Current agent-based systems cannot guarantee:

• Integrity: System safety and information assurance are not considered

• Performance: The distributed object model is inefficient

• Robustness: Agents are brittle, hard to create, deploy, and debug

Case Study: IMMACCS

System Integrity


Domain  B 



Agent  at 
Domain  A 


if  Radar.forceCode  ==  <iXt  friendly>  && 
then 

CallForFire.target = name(Radar)
CallForFire.controlMethod  =  WHEN  READY 
endif 


Integrity  factors 

•  information  leaks 

•  user  mistakes 

•  malicious  attacks 


Safety  Property 

Never  issue  a  Call  For  Fire  if  forceCode  ==  <friendly> 

Case Study: IMMACCS

Performance 


Domain  B 


Performance  factors 

•  replication  of  data 

•  bandwidth  of  links 

•  reliability  of  links 


Distributed  Objects 

Case Study: IMMACCS

Robustness factors

•  compositionality 

•  code  safety 

•  modularity 

•  dynamic 

Evaluating  agent  behavior 

Completeness  and  consistency  of  emergent  agent  behavior 

Three-Pronged Approach

Proposed SINS Architecture

Checking Consistency of Emergent
Agent Behavior


if Munitions.ECR < TargetSize
then ratings = ratings - 10

if Munitions.CEP < Munitions.ECR
then ratings = ratings - 5

if Munitions.CEP < Munitions.ECR
then ratings = ratings - 10


Salsa:  NRL  Patented  Theorem 
Proving  Technology 


• Inconsistency!!


module  intel_agent 

functions 

target_size  =  20; 

type  definitions 

ratings  :  integer  range  [-20,100]; 

monitored  variables 
CEP,  ECR  :  integer; 

controlled  variables 
rating:  ratings; 

definitions 

var  rating  initially  100  := 
if 

[]  ECR  <  target_size  ->  rating  -10 
[]  CEP  <  ECR  ->  rating  -5 
[]  CEP  <  ECR  ->  rating  -10 
fi 

end module // intel_agent

Salsa: An Automatic Invariant Checker


Salsa  contains  30,000+ 
lines  of  source  code 
(previous  ONR  6.2  work) 

The UNSATISFIABILITY CHECKER
integrates  two  important  decision 
procedures:  a  BDD  algorithm  and 
an  integer  linear  constraint  solver. 


description  is  valid 


integers 


UNSATISFIABILITY  CHECKER 


description  invalid 
counterexample 
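
The consistency check from the intel_agent slide, as an added example (this is not Salsa and not NRL code): a bounded exhaustive search over the monitored variables stands in for Salsa's BDD and integer-constraint decision procedures, and returns a counterexample for each pair of conflicting branches plus the first state that no guard covers. The search bounds and the `REPAIRED` definition are assumptions constructed for illustration.

```python
from itertools import combinations, product

TARGET_SIZE = 20  # target_size constant from the slide's intel_agent module

# Guarded branches of `rating` exactly as on the slide: (label, guard, update).
SLIDE = [
    ("ECR < target_size -> rating - 10", lambda cep, ecr: ecr < TARGET_SIZE, lambda r: r - 10),
    ("CEP < ECR -> rating - 5", lambda cep, ecr: cep < ecr, lambda r: r - 5),
    ("CEP < ECR -> rating - 10", lambda cep, ecr: cep < ecr, lambda r: r - 10),
]

# Constructed repair (an assumption, not from the slides): guards made
# mutually exclusive, plus a default branch that leaves the rating unchanged.
REPAIRED = [
    ("CEP < ECR -> rating - 5", lambda cep, ecr: cep < ecr, lambda r: r - 5),
    ("CEP >= ECR and ECR < target_size -> rating - 10",
     lambda cep, ecr: cep >= ecr and ecr < TARGET_SIZE, lambda r: r - 10),
    ("otherwise -> rating",
     lambda cep, ecr: cep >= ecr and ecr >= TARGET_SIZE, lambda r: r),
]


def check_definition(branches, lo=0, hi=40, rating=100):
    """Bounded search over monitored values CEP, ECR in [lo, hi].

    Returns (conflicts, uncovered):
      conflicts - {(label_a, label_b): (cep, ecr, value_a, value_b)}, the first
                  state where two enabled branches assign different values
      uncovered - first (cep, ecr) where no guard is enabled, or None
    """
    conflicts, uncovered = {}, None
    for cep, ecr in product(range(lo, hi + 1), repeat=2):
        # Evaluate every branch whose guard holds in this state.
        enabled = [(label, update(rating))
                   for label, guard, update in branches if guard(cep, ecr)]
        if not enabled and uncovered is None:
            uncovered = (cep, ecr)
        for (la, va), (lb, vb) in combinations(enabled, 2):
            if va != vb:
                conflicts.setdefault((la, lb), (cep, ecr, va, vb))
    return conflicts, uncovered


if __name__ == "__main__":
    for name, branches in (("slide", SLIDE), ("repaired", REPAIRED)):
        conflicts, uncovered = check_definition(branches)
        print(f"{name}: {'invalid' if conflicts or uncovered else 'valid'}")
        for pair, witness in conflicts.items():
            print("  inconsistent:", pair, "counterexample", witness)
        if uncovered:
            print("  incomplete: no branch enabled at CEP, ECR =", uncovered)
```

A bounded search only covers the chosen range; a decision procedure such as the one the slide describes establishes the property for all integer values.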

FY 2003 Milestones


1. SOL (Secure Operations Language)

— Design and implementation of SOL compiler for
distributed agent implementation over SSL (Secure
Sockets Layer) network connections [Bha03b, KIB03].

— Development of techniques to ensure that SOL agents are
composable, consistent, safe, secure, and verifiable.
References [Bha02] and [Bha03a] provide details.

2. Agent monitoring and coordination

— Design of Inter-Agent Protocol (designated the Agent
Control Protocol, or ACP) and a secondary protocol
(Module Transfer Protocol, or MCP) for inter-agent
communication and distributed agent deployment [TB03].

3. Determining emergent properties of multi-agent systems

— Implementation of translators SOL2SAL and SAL2SOL as
interim solution for using formal verification tool Salsa
(implemented in previously funded ONR 6.2 project).

Overall Project Milestones


FY03 


•  Secure  Operations  Language  (SOL) 

-  Making  SOL  composable,  consistent,  safe,  secure,  verifiable  ♦ 

-  Formal  proofs  of  application  properties  o 

• Secure Infrastructure for Networked Systems (SINS)

-  Prototype  Implementation  ♦ 

-  Requirements  Elicitation  and  Design  o 

-  Demonstration  System 

•  Agent  monitoring  and  coordination 

-  Monitoring  architecture  over  physically  distributed  domains  ♦ 

-  Selecting  security  protocols  to  enforce/maintain  consistency  o 


-  Establishing  the  consistency  of  agent  behavior  and  data 

-  Establishing  that  agents  enforce  a  consistent  security  policy 

-  Obtaining  a  situational  awareness  picture  for  agents 

•  Security  Agents: 

-  Establishing  trust  in  security  agents 

•  Development  of  application-specific  security  agents: 

-  Intrusion  detection 

-  Survivability  and  adaptability 


(Timeline columns: FY03, FY04, FY05)

Key: ♦ Milestone, o Ongoing Activity

Operational Payoff:

Secure and Efficient C2 for Combat Systems


UNCLASSIFIED  -  APPROVED  FOR  PUBLIC  RELEASE 

Multi-Security Levels:
One  Role  for  Security  Agents 


Domain  A 

Security  agents  make  decisions 


Domain  B 


Sanitize information

optional process (e.g.,
remove source, fuzz image)


Enforce  organization  or 
application-specific 
release  policy 


Security  agents 
make  decisions 

Receive 
policy 
server 


Enforce 
authentication, 
integrity,  labeling, 
...,  policy 


Security  Agents  ensure  secure 
dissemination  of  information  across  domains 

Transition Opportunities


•  Navy's  Open  Architecture  Computing  Environment 


Aegis-equipped cruisers and destroyers
SSDS-equipped carriers and large deck amphibs


UAV Swarms

Distributed Sensor Networks

Open Architecture Characteristics


Designers  have  identified  the  following  requirements: 

•  Portability 

•  Location  transparency 

•  Loosely  coupled  components 
-  Time  and  space 

•  Preservation  of  data  integrity  across  threads, 
processes,  computers,  networks 


NRL  Secure  Agents  Middleware  will  provide  these  characteristics. 

Open Architecture Challenges
Addressed by SINS


We  have  identified  the  following  additional  challenges: 

•  Security 

-  Malicious  users 

-  Malicious  code 

-  Confidentiality 

• Impact of COTS upgrades on applications

- Immature standards

-  30  year  lifetime 

-  Vendor-specific  changes 

•  Difficulty  of  finding  (COTS)  middleware  talent 

•  Complexity  of  (COTS)  middleware 


How  to  design  applications  with  the  desired  characteristics? 

Agents for UAV Swarms


Context Diagram for UAV Swarm

Sensor Networks


Sensor  networks  collect  and  transfer 
information  critical  to  provide  a  complete, 
accurate  and  trusted  situational 
awareness  picture 


If  this  information  cannot 
be  trusted, 
it  cannot  be  utilized 


Enemy  Ship, 
troop,  aircraft 
Movements 


Chemical  Agent 
Detection 


C2 Systems

SITUATIONAL 

AWARENESS 


Sensor  networks  are  thus  critical  components 
Their  security  is  critical! 

Sensor Network Characteristics


Sensor  Attributes 

•  Power  Constrained 

•  Limited  Memory 

•  Limited  Processor  Capability 

•  Expendable 


Communication  Capabilities 

•  Wireless  Interface 

•  Limited  Bandwidth 

•  Limited  Range 


Networking 

•  Ad  Hoc 

•  Self-Organizing 

•  Randomly  Failing  Nodes 

•  Dynamic  Routing 


Security  Threats 


Denial  of  Service  (e.g.,  Jamming) 
Compromise  (Sensor,  Network) 
Injection  of  False  Data 
Spoofing 



Sensor  Network 


Mote  (tiny,  wireless)  Sensor 

Secure Middleware For Distributed Applications


Project  Description  &  Technical  Approach 

Design  and  advanced  prototype  development 
of  secure  distributed  middleware  for  efficient, 
reconfigurable,  and  scalable  system 
interoperability,  using  the  novel  concept  of 
“security  agents,”  i.e.,  mini-firewalls,  to  ensure 
system  integrity,  efficiency  and  robustness. 

Target  applications  are  information  network 
situational  awareness,  networked  C2  for 
combat  applications,  the  Open  Architecture, 
and  Unmanned  Aerial  Vehicle  (UAV)  swarms. 


Project  Start/Milestones/Funding 


FY  03 

FY04 

FY05 

Task  1:  Secure 
Operations  Language 

Task  2:  Secure 
Infrastructure  for 
Networked  Systems 

Task  3:  Application- 

Specific  Security 

Agent  Development 

Task  4:  Monitoring, 

Coordination,  and 
Experimentation 

$600K $600K $600K


Project  Objectives 

Ensure  secure,  efficient,  and  robust 
distributed  system  interoperability. 
Additionally,  reduce  total  ownership 
costs,  allow  quick  and  easy  system 
upgrade  and  reconfiguration,  lower  the 
impact  of  COTS  upgrades,  and  reduce 
compatibility  problems. 


Project  Payoff/Impact  on  Naval  Needs 

•  Networked  systems  that  are  provably 
secure  and  intrusion  tolerant 

•  Networked  systems  that  are  flexible, 
reconfigurable,  and  survivable 

• New ways of tackling complexity, the
Achilles  heel  of  system  vulnerabilities 

•  Introduces  a  novel  notion  of  security  agents 
-  software  that  polices  malevolent  foreign 
code 

END